Dynamic script analysis?

[rugk]

Maintaining these things hardcoded is cumbersome and does not scale.

It would be good, if it also had a "may look good"/"may look bad", as a "middle-step security". (e.g. accompanied by "You should review it below, anyway.".

It may e.g. analysis whether it uses "eval", or does internet connections or so.
Or do some checks on whether it is obsfuscated. (maybe detect long random strings or measure the entrophy of the whole file, or so)

[aral]

It does some of that already (e.g., fails on insecure URLs or if the script is too large) but yes, this is a good idea. That’s not to say that human validation won’t be important but it would be good to supplement that with heuristics as well as best practices. e.g., I learned from the nvm script how to ensure that the script only runs if the whole thing downloads and now I’ll be implementing it for the Site.js install script.

[rugk]

Yeah, also note the idea is to have a third state two more states that is are "has been automatically been verified as good/bad".